Maintaining data securely is an important consideration in data management systems. Not only must the data be secure from physical attacks at the storage site, but it must also be possible to communicate the data from one location to another without fear of unauthorized interception, even when one of the locations is not itself secure. However, data stored on a computing device is subject to access by the operating system, and even when it is protected from unauthorized access by the operating system or by application software, the operating system itself can be compromised, thereby giving an attacker access to the protected data.
Often it is necessary to give certain people access to extremely sensitive information for limited periods of time with the understanding that the information will not be compromised, improperly disseminated, improperly retained, or improperly modified. When the people requiring such access are using portable devices such as computers, PDAs and the like, the information provider must be confident that the portable devices are secure from tampering and that communications to and from the portable devices are secure from compromise by an adversary. Even when the portable devices are ones that the data provider has supplied (or is otherwise familiar with), the security problem is difficult to manage. When the portable devices to which sensitive data is to be transferred are unknown to the provider, a high level of trust is difficult to establish.
One scenario in which sensitive data must be distributed to various locations arises in emergent conditions (such as a fire in a large building, a terrorist attack, a medical emergency, etc.) where data critical to saving lives must be quickly disseminated to first responders and where that data is highly sensitive in nature. For example, proper evacuation of a building may require the first responders to have images of the physical structure of the building, including office layouts, names of employees and perhaps their medical conditions. Safes and other sensitive areas may also have to be entered to protect life and/or property. Ideally, this highly sensitive data should be available on portable devices carried by the first responders, and only for the period of time necessary to handle the emergent condition. For purposes of discussion herein, the term transient trust is defined as the ability to access protected information for a limited time under certain conditions.
Under present security management systems, the data on such portable devices can easily be compromised during transmission, during use, while in local storage, and after the emergent condition has ended; the transient trust level is therefore low whenever sensitive data is allowed to reside on portable devices.
Encryption has been used for many years to secure communications among different entities. Encryption requires keys to decrypt the secured communications, and therein lies one of the problems with sending data to remote devices: the remote device requires a key to decrypt the transmitted and/or stored data.
If it could be assured that both ends of a communication link are secure (from network attacks, software attacks and physical attacks), then secure storage of the keys is a concern that the entity requiring security for its data can manage. However, devices that are in non-secure physical environments (such as those carried by first responders) or that operate in a non-secure operating environment (such as PCs) give rise to major concerns over the confidentiality and integrity of data transmitted to or from such devices, as well as over the confidentiality and integrity of data stored on them.
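The time-limited key release that the transient-trust definition above calls for can be sketched in code. What follows is an added illustration, not a mechanism from this document: it assumes a provider that shares a per-device key with the responder's device, encrypts the sensitive data under a fresh data key, and wraps that data key for the device with the access window (not_before, not_after) and an incident label bound in as authenticated data, so that the conditions cannot be edited without invalidating the key. Authenticated encryption is built here from HMAC-SHA256 (a counter-mode keystream plus a tag) only so that the example runs on the Python standard library; a deployment would use AES-GCM or ChaCha20-Poly1305. All function names, the incident label and the sample floor-plan text are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import struct


class LeaseError(Exception):
    """Raised when a lease is outside its window or fails an integrity check."""


def _derive(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one secret (HMAC as a KDF).
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based keystream. Chosen only so the
    # example runs on the standard library; a deployment would use AES-GCM.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag; `aad` is authenticated only."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag (constant time) before decrypting; raise LeaseError on mismatch."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    if len(blob) < 48:
        raise LeaseError("integrity check failed")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise LeaseError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _lease_aad(lease: dict) -> bytes:
    # Canonical encoding of the access conditions, bound into the key wrap so that
    # any edit to the window or incident label invalidates the wrapped key.
    fields = {k: lease[k] for k in ("incident", "not_before", "not_after")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue(device_key: bytes, data: bytes, incident: str, not_before: int, not_after: int):
    """Provider side: encrypt `data` under a fresh data key, then wrap that key for one
    device with the access conditions as authenticated data. Returns (sealed_data, lease)."""
    data_key = secrets.token_bytes(32)
    sealed_data = seal(data_key, data, aad=incident.encode())
    lease = {"incident": incident, "not_before": not_before, "not_after": not_after}
    lease["wrapped_key"] = seal(device_key, data_key, aad=_lease_aad(lease)).hex()
    return sealed_data, lease


def access(device_key: bytes, lease: dict, sealed_data: bytes, now: int) -> bytes:
    """Device side: release plaintext only inside the lease window and only if the
    lease is intact. `now` is passed in so the window check is testable."""
    if not lease["not_before"] <= now < lease["not_after"]:
        raise LeaseError("outside lease window")
    data_key = unseal(device_key, bytes.fromhex(lease["wrapped_key"]), aad=_lease_aad(lease))
    return unseal(data_key, sealed_data, aad=lease["incident"].encode())


def demo() -> dict:
    """Constructed scenario: building data leased to a responder device for one hour."""
    device_key = secrets.token_bytes(32)  # shared provider/device key (assumed to exist)
    floor_plan = b"Floor 3: server room behind east stairwell, 2 occupants"  # constructed
    t0 = 1_700_000_000
    sealed, lease = issue(device_key, floor_plan, "incident-42", t0, t0 + 3600)
    results = {"during": access(device_key, lease, sealed, t0 + 600) == floor_plan}
    for name, lse, when in (("after", lease, t0 + 7200),
                            ("tampered", dict(lease, not_after=t0 + 86400), t0 + 7200)):
        try:
            access(device_key, lse, sealed, when)
            results[name] = "released"
        except LeaseError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    print(demo())  # {'during': True, 'after': 'outside lease window', 'tampered': 'integrity check failed'}
```

Note what the example does and does not establish. Within the window the device recovers the data; after not_after the time check refuses; and editing not_after in the lease breaks the key unwrap because the conditions are authenticated together with the wrapped key. But every one of those checks runs inside the device's own software. A device that has already unwrapped the data key and keeps it, or whose clock or policy code an adversary can alter, still decrypts after the incident has ended, which is exactly the low transient trust level described above and the reason the keys and the code that enforces the conditions need protection beyond what software alone provides.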
Security is one of the critical requirements for the deployment of lightweight wireless ad hoc networks which consist of nodes, such as low-cost sensors or embedded devices. These networks are ideal for applications like environmental surveillance and emergency response. The nodes in such networks are typically highly distributed without a centralized controller, and each node has very limited computation and energy resources. It is thus a challenging task to maintain a high security level in such networks.
Key management is the cornerstone of secure communication when cryptographic techniques are used for security. In lightweight ad hoc networks, which are typically deployed in hostile environments, adversaries can easily capture nodes and attempt to extract the keys from them, posing severe security threats to the network. A secure-architecture-based technique is therefore needed to protect the keys held in captured nodes, and key management schemes must remain robust even in the face of node capture.
Key management is also the cornerstone of secure storage and the provision of a secure execution environment in processing secure data, assuming the use of strong cryptography to provide security properties like confidentiality and integrity.
Software can implement the flexible security policies an application desires, but that software must be strongly protected if it is to carry out those policies faithfully. If an adversary can change the security policies an application implements by modifying its software, then security is violated.